Snort mailing list archives
Re: log_unified: no IP data for some events
From: Tomás Heredia <tomas.heredia () activesec biz>
Date: Fri, 05 Jun 2009 17:42:33 -0300
For example:

mysql> select max(event.cid), sig_sid, sig_name, count(event.cid)
    -> from event
    -> left join iphdr on (event.sid = iphdr.sid and event.cid = iphdr.cid)
    -> inner join signature on (signature.sig_id = event.signature)
    -> where ip_src is null
    -> group by sig_id;
+----------------+---------+---------------------------------+------------------+
| max(event.cid) | sig_sid | sig_name                        | count(event.cid) |
+----------------+---------+---------------------------------+------------------+
|        3685058 |       1 | tag: Tagged Packet              |           221711 |
...
|        1970797 |    1079 | WEB-MISC WebDAV propfind access |                2 |

sig_sid=1 is no problem. sid 1079 is one of the offending ones (happens both for standard and for binary rules).

Cheers!

Joel Esler wrote:
> Can you provide a link to a screenshot?
>
> Sent from my iPhone
>
> On Jun 5, 2009, at 3:30 PM, Tomás Heredia <tomas.heredia () activesec biz> wrote:
>
> > Hi all,
> >
> > I'm using Barnyard (0.2) to send snort 2.8.0 inline (I know, I indeed want to upgrade) log_unified data to an acid_db.
> >
> > Sometimes, and for some rules (not much in common among them), iphdr data is not recorded in the database (once it starts missing iphdr data for a rule, it keeps missing it for newer events). Other rules keep reporting OK. Other tools (like snort-unified-perl) don't show iphdr data in the unified log either.
> >
> > It's quite annoying, especially when the involved rules are dropping packets.
> >
> > Is this a known problem? Does anyone know if it was resolved in a newer release?
> >
> > Best regards,
> > Tomás
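An added consistency check that is not part of this thread: a Python/sqlite3 script with a simplified stand-in for the ACID event, iphdr and signature tables (an assumption; the real schema has more columns, and the sample rows are constructed). It extends the query above to report, per rule, how many events lack an iphdr row, the first cid where that happened, and whether any later event of the same rule still carried IP data, which separates the "keeps missing it for newer events" pattern from a one-off gap.

```python
import sqlite3

# Simplified stand-in for the ACID tables the post's query joins; only the
# columns the query references are modelled (assumption, not the real schema).
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_sid INTEGER, sig_name TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
"""

# Constructed sample: sig_id 2 (sid 1079) loses its iphdr rows from cid 103 on and
# never recovers; sig_id 3 (a made-up local rule) has a single gap at cid 101.
SAMPLE = {
    "signature": [(2, 1079, "WEB-MISC WebDAV propfind access"),
                  (3, 1000001, "LOCAL constructed test rule")],
    "event": [(1, 100, 2), (1, 101, 3), (1, 102, 2), (1, 103, 2), (1, 104, 2), (1, 105, 3)],
    "iphdr": [(1, 100, 167772161, 167772162), (1, 102, 167772161, 167772162),
              (1, 105, 167772161, 167772163)],
}
# Same left join as the post, plus the last cid per rule that still had IP data.
MISSING_SQL = """
SELECT s.sig_sid, s.sig_name, COUNT(e.cid) AS missing, MIN(e.cid) AS first_missing, w.last_with_ip
FROM event e
LEFT JOIN iphdr i ON e.sid = i.sid AND e.cid = i.cid
JOIN signature s ON s.sig_id = e.signature
LEFT JOIN (SELECT e2.signature AS sig, MAX(e2.cid) AS last_with_ip
           FROM event e2 JOIN iphdr i2 ON e2.sid = i2.sid AND e2.cid = i2.cid
           GROUP BY e2.signature) w ON w.sig = e.signature
WHERE i.ip_src IS NULL
GROUP BY e.signature, s.sig_sid, s.sig_name, w.last_with_ip
"""

def load_sample():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?, ?)", SAMPLE["signature"])
    conn.executemany("INSERT INTO event VALUES (?, ?, ?)", SAMPLE["event"])
    conn.executemany("INSERT INTO iphdr VALUES (?, ?, ?, ?)", SAMPLE["iphdr"])
    return conn

def missing_iphdr_by_rule(conn):
    """Map sig_sid -> (sig_name, missing, first_missing, last_with_ip, persistent).
    persistent is True when no event of that rule after the first gap carries IP data."""
    out = {}
    for sig_sid, name, missing, first_missing, last_with_ip in conn.execute(MISSING_SQL):
        persistent = last_with_ip is None or last_with_ip < first_missing
        out[sig_sid] = (name, missing, first_missing, last_with_ip, persistent)
    return out
```

Against a real ACID/BASE database, point the connection at it instead of load_sample(); the query itself is standard SQL and runs on MySQL unchanged.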